CBI-regulated firms, including fund service providers, increasingly rely on outsourced service providers (“OSPs”). The CBI recently conducted a cross-sector survey of regulated firms and their outsourced activities (“the Survey”). A total of 185 financial services firms (including 82 asset management sector firms) were surveyed, covering 7,700 outsourcing agreements. On 19th November 2018, the CBI published a paper on its key findings and evolving trends around outsourcing.

Key Findings

The findings included in part A of the paper focus on the three key areas of governance, risk management and business continuity management.

Governance

The CBI has found significant shortcomings in boards’ awareness and control of the extent of reliance of their respective firms on OSPs. It is noted that “chain-outsourcing” arrangements, whereby OSPs engaged by the regulated firm have themselves outsourced certain related activities to other OSPs, further exacerbate the complexity of outsourcing arrangements. They also dilute the level of board control. For the purposes of safeguarding an appropriate level of board awareness and control, the CBI emphasises the importance of robust outsourcing strategies and policies.

The CBI also notes a failure, in many cases, by firms to put in place appropriate contractual arrangements supported by service level agreements (“SLAs”).

Risk Management

The CBI warns against over-reliance on the first line of defence for assurance around outsourcing arrangements, while the second line (including the risk function) may be unaware of outsourced activities and related responsibilities. A strong outsourcing risk management framework is vital for the effective monitoring and mitigation of any risk. This becomes particularly obvious when taking into consideration that 41% of all outsourcing arrangements are deemed critical or important in nature.

The paper also highlights the following issues with many respondent firms:

Failure to retain appropriate in-house skills to oversee outsourcing arrangements and, if necessary, repatriate these services.

Business Continuity Management

The Survey revealed a number of deficiencies with respect to business continuity management in regulated firms. Areas of particular concern are deficiencies in business continuity testing and a failure to maintain “exit strategies” or repatriation contingency plans.

Evolving Trends

In Part B of the paper, the CBI outlines evolving outsourcing trends and seeks to initiate discussion.

The Survey highlighted that fund servicing firms are often delegating “critical and important services” to a small number of providers. It highlights outsourced fund administration/NAV calculation and cloud computing services as areas that pose “a significant degree of concentration risk”.

It sees risks to sensitive data arising from the use of outsourced data storage, particularly from the use of cloud services. The Survey points out that 40% of respondent firms used third-party cloud computing firms.

With regard to concentration risk, firms may believe that their outsourced services are sufficiently diversified, when, in fact, the functions are in turn outsourced to a small number of OSPs via a chain-outsourcing agreement. The CBI points out, for example, that 16 fund servicing firms have a total of 186 outsourcing arrangements with one single provider. It also points out that firms in other sectors use measures such as dual outsourcing arrangements and shorter duration contracts to mitigate outsourcing concentration risk.

Concentration risk also arises from the fact that some 53% of the arrangements are spread across only five countries, namely the UK, US, India, Germany and France. Outsourcing to foreign jurisdictions/offshoring can involve risks such as changes in the regulatory environment, political climate or physical climate. The most prominent current example of this is regulatory change as a result of Brexit.

Next Steps

Fund service providers will need to review their current practices and make any necessary enhancements to mitigate any increasing outsourcing risk profile. The CBI’s ongoing supervision of regulated firms will likely centre around the key considerations outlined in this paper and it expects regulated firms to take all appropriate action to address the issues described. The CBI will likely seek evidence of updates to risk management frameworks to ensure the paper has been considered and an examination of outsourcing arrangements has been conducted.

The CBI has invited comments on the paper to be submitted by 18th January 2019. The CBI intends to organise an industry event in 2019 to discuss the paper and the submissions it has received.